We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this specific campaign PLEAD because of the letters of the backdoor commands issued by the related malware.

The point of entry for this campaign is through email. In the PLEAD campaign, threat actors use the RTLO (right to left override) technique in order to fool the target recipient into thinking that the file extension of the unpacked file is not suspicious, i.e., not an executable.

In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference:

Figure 1. Email sent to Taiwanese government agency

When the .7z attachment is unpacked, the recipient will see two files, what seems to be a PowerPoint document and a Microsoft Word file. The RTLO technique, which basically takes advantage of a Unicode character that was created to support languages that are written right to left, is evident in the first file. By inputting the unicode command for RTLO before the P in PPT, the appearance of the complete file name makes it look like the file is a PowerPoint document, even if it is, in fact, a screen saver file.

The threat actor included an additional decoy document, the second file in figure 2, a .DOC file, whose only function is to add to the believability of the email.

Figure 2. Unpacked attachment shows RTLO trick at work with the .SCR file

To further make the victim believe that the .SCR file is a .PPT file, the .SCR file actually drops the following .PPT which only serves as a decoy.

Figure 3. The .SCR drops this .PPT file as decoy

The RTLO trick in the above case was successful, but in some cases, it was not, as in this spear phishing email belonging to the same campaign. This time the email pretends to be about statistical data about Taiwanese business enterprises:

Figure 4. Second email sample, this time sent to a different Taiwanese government agency

Figure 5. Unpacked attachment reveals that the file is an executable

We also observed the use of an exploit using the CVE-2012-0158 vulnerability, which had long been patched by MS12-027 in 2012. The vulnerability exists in Windows common controls, could allow an attacker to execute malicious code, and is a common vulnerability found in targeted attacks.

Figure 6. Third sample email uses exploit

The payloads in the PLEAD campaign are usually backdoors that first decrypt their code and inject themselves into another process. Installation differs from one sample to the next, but typically, the related backdoors will acquire the following information from the victim’s computer:

User name

Computer name

Host name

Current Malware Process ID

This is often a way for threat actors to keep track of its specific victims when it is monitoring its operations. Once a connection has been established with remote servers, the backdoor executes its commands:

Check installed software/proxy setting

List drives

Get file

Delete file

Remote shell

These commands are typical of reconnaissance activities.

We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012.